NetIQ SecureLogin Amazon Web Services AD setup creation

AWS Microsoft Active Directory Setup

Installing and Configuring Oracle VirtualBox

This step covers downloading Oracle VirtualBox, installing it, and creating the Windows 11 VM that is later uploaded to AWS as a VHD. VirtualBox is a free desktop hypervisor for running VMs locally on your workstation.

Download VirtualBox from here.

Clicking "Windows hosts" on the Downloads – Oracle VM VirtualBox page downloads VirtualBox-7.0.16-162802-Win to the local machine.

  1. Double-click the downloaded installer and follow the on-screen instructions.
  2. Once VirtualBox is installed, install a Windows 11 image on a virtual machine locally. Download the Windows 11 image from Download Windows 11 (microsoft.com) and save the ISO to your local drive. When creating the VM, choose VHD as the virtual disk format, because the import steps below upload a .vhd file.
  3. Once the image is downloaded, power on the VM with the ISO mounted and press any key when prompted to start the Windows 11 installation.
  4. Below is the command prompt output after the VM has been installed successfully:

 

Setting up AWS User

  1. Create a new IAM user in the AWS account and use that user, not the root account, for the remaining steps.
    1. Go to the AWS sign-in page: awslogin.publiccloud.microfocus.net
    2. Click into the search box at the top and enter "IAM", as shown in the image below.

                  Click "Users" in the menu at the left, click "Add user" (or "Create user"), and fill in the details of the user to be created.

    3. Enter a user name and check only "Programmatic access". This user does not need console access, since you are not going to log in to the web interface as this user. (If the current IAM console does not show this option, create the user without console access and generate the access key afterwards on the user's Security credentials tab.)
    4. On the next screen, click "Attach existing policies directly" and attach only what the remaining steps need: creating an IAM role and attaching a role policy (aws iam create-role, aws iam put-role-policy), uploading to the S3 bucket (aws s3 cp), and running the VM import (aws ec2 import-image, aws ec2 describe-import-image-tasks).
    5. Click "Next" through the tags page.
    6. Click "Create user" on the last page.
    7. AWS shows the Access Key ID and Secret Access Key on screen, with a link to download them as a CSV. This is the only time the secret key is shown; it cannot be recovered later, so store it in a password manager or secrets store, never in a shared document, and delete the access key (or the whole user) once the import is finished.
  2. Create an S3 bucket for the image:
    1. Log in to the AWS account.
    2. In the search box at the top of the dashboard, type "S3" and select the S3 service, as shown below.
    3. Give your bucket a unique name and accept all the defaults. The defaults keep Block Public Access enabled; leave it enabled, since the bucket will hold a complete Windows disk image. Create the bucket in the Region you intend to import into, because the import task runs in the same Region as the bucket.

  3. Install and configure the AWS CLI

            i. Download the AWS CLI from here => https://awscli.amazonaws.com/AWSCLIV2.msi

            ii. Follow the on-screen instructions and install the CLI

            iii. Open a command prompt and type: aws configure

            iv. At the prompts, enter the Access Key ID and Secret Access Key from the previous step. Set the default region to the Region of the S3 bucket; the output format can be left at the default.


  4. A role has to be created for the import process, and that role must be granted access to the S3 bucket created in the steps above. The role must be named vmimport, because VM Import/Export assumes a role of exactly that name. The command takes a JSON file as input, so create the trust policy below and save it as policy.json in the same directory as the Windows 11 VHD. The trust policy lets only the VM Import service principal (vmie.amazonaws.com) assume the role, and only when it presents the external ID vmimport; do not widen the Principal to an AWS account or to "*".

Sample policy.json file =>

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}

  5. Execute the command below in the CMD window, from the directory that holds policy.json (file:// paths are resolved relative to the current directory). If it fails with EntityAlreadyExists, a vmimport role already exists in the account; continue with the next step.

aws iam create-role --role-name vmimport --assume-role-policy-document file://policy.json

  6. Next, grant the role access to the S3 bucket. This lets the import process list the bucket and read the VHD from it; read access is all an import needs. This step also takes a JSON file as input. Copy the document below and save it in the working directory as role.json. Replace both occurrences of YOURBUCKETNAMEHERE with your actual bucket name. Note that one of them ends in /*: the first ARN is the bucket itself (for s3:ListBucket and s3:GetBucketLocation), the second is the objects inside it (for s3:GetObject), and the /* must survive your edit. The last statement uses Resource "*" for the EC2 snapshot and image actions, as in the AWS VM Import documentation; what bounds the role is the trust policy, which only the VM Import service can satisfy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::YOURBUCKETNAMEHERE"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOURBUCKETNAMEHERE/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

  7. Then run the command that attaches that policy to the role. In your CMD window, run:
    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role.json

 

  8. Upload the VM to the AWS S3 bucket. Execute the command below in the command prompt to upload the image from the local computer to the bucket:
    aws s3 cp myvmname.vhd s3://mybucketname
    In the example above, change "myvmname.vhd" to the actual name of your VHD and "mybucketname" to the actual name of your bucket, as in the screenshot below:
  9. Create an import config file and import the VM
    "My Windows 10/11 VM is now in AWS! Let's turn it on!" Not yet. First the VHD has to be converted into an AMI, the image format AWS uses for virtual machines; a VM launched from an AMI is called an instance.
    Here is a sample. Copy and paste it into Notepad, edit it with your values, and save it as "containers.json" in the same directory as your VHD and the other config files created earlier.

Create the containers.json file and import the image. S3Key is the object name of the VHD you uploaded (the file name as it appears in the bucket), since Format is vhd:

[
  {
    "Description": "Windows 10 /11",
    "Format": "vhd",
    "UserBucket": {
      "S3Bucket": "put-your-bucket-name-here",
      "S3Key": "put-your-vhd-filename-here"
    }
  }
]
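The three JSON files above (policy.json, role.json and containers.json) are easy to get subtly wrong by hand: a curly quote, a bucket name with a capital letter, a missing /* on the object ARN, or an S3Key naming the wrong file each fails only once the import task runs. The following Python script is an added example, not code from the original page or from the SecureLogin product. It generates all three files from a bucket name and a VHD file name, validates the bucket name against the S3 naming rules, checks that every S3 statement in the role policy is pinned to that one bucket, and prints the AWS CLI commands from this page in the order they must run; it makes no AWS calls itself. The bucket name my-import-bucket and the file name win11.vhd are placeholders.

```python
import json
import re
from pathlib import Path

# S3 bucket naming rules (the subset that matters here): 3-63 characters, lowercase
# letters, digits, dots and hyphens, starting and ending with a letter or digit, no "..".
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

VMIMPORT_ROLE = "vmimport"           # VM Import/Export assumes a role with exactly this name
VMIE_SERVICE = "vmie.amazonaws.com"  # the only principal allowed to assume it


def validate_bucket_name(bucket):
    """Reject names S3 would refuse, so the bucket ARNs below cannot be silently wrong."""
    if not _BUCKET_RE.match(bucket) or ".." in bucket:
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    return bucket


def trust_policy():
    """policy.json: only the VM Import service may assume the role, and only when it
    presents the external ID 'vmimport'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": VMIE_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:Externalid": VMIMPORT_ROLE}},
        }],
    }


def role_policy(bucket):
    """role.json: read-only access to the one import bucket. Bucket-level actions use
    the bucket ARN; reading the VHD uses the object ARN, which must end in /*."""
    bucket_arn = f"arn:aws:s3:::{validate_bucket_name(bucket)}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": [bucket_arn]},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [f"{bucket_arn}/*"]},
            {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                                           "ec2:RegisterImage", "ec2:Describe*"],
             "Resource": "*"},
        ],
    }


def disk_containers(bucket, vhd_key, description="Windows 11"):
    """containers.json: one disk container pointing at the uploaded VHD object."""
    validate_bucket_name(bucket)
    if not vhd_key.lower().endswith(".vhd"):
        raise ValueError("Format is 'vhd', so S3Key must name the uploaded .vhd object")
    return [{"Description": description, "Format": "vhd",
             "UserBucket": {"S3Bucket": bucket, "S3Key": vhd_key}}]


def s3_scope_findings(policy):
    """Flag S3 statements whose Resource is not pinned to a named bucket."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(a.startswith("s3:") for a in actions):
            continue
        for res in resources:
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append(f"{actions} allowed on {res}")
    return findings


def build_import_files(bucket, vhd_key, outdir=None):
    """Return {filename: json text} for the three files; write them when outdir is given."""
    docs = {"policy.json": trust_policy(), "role.json": role_policy(bucket),
            "containers.json": disk_containers(bucket, vhd_key)}
    findings = s3_scope_findings(docs["role.json"])
    if findings:
        raise ValueError("role policy is wider than one bucket: " + "; ".join(findings))
    rendered = {name: json.dumps(doc, indent=2) for name, doc in docs.items()}
    if outdir is not None:
        for name, text in rendered.items():
            Path(outdir, name).write_text(text)
    return rendered


def import_commands(vhd_path, bucket, description="Windows 11"):
    """The AWS CLI steps from this page, in the order they must run (from the directory
    holding the three JSON files)."""
    return [
        f"aws iam create-role --role-name {VMIMPORT_ROLE} --assume-role-policy-document file://policy.json",
        f"aws iam put-role-policy --role-name {VMIMPORT_ROLE} --policy-name {VMIMPORT_ROLE} --policy-document file://role.json",
        f"aws s3 cp {vhd_path} s3://{bucket}",
        f'aws ec2 import-image --description "{description}" --disk-containers file://containers.json',
        "aws ec2 describe-import-image-tasks",
    ]


if __name__ == "__main__":
    bucket, vhd = "my-import-bucket", "win11.vhd"   # placeholders
    for name, text in build_import_files(bucket, vhd, outdir=".").items():
        print(f"--- {name}\n{text}")
    print("\n".join(import_commands(vhd, bucket)))
```

Run it once in the directory that holds the VHD; it writes the three files and prints the commands to paste into the CMD window. s3_scope_findings is also useful on a hand-edited role.json: a Resource of "*" on an S3 action means the import role could read every bucket in the account, not just the one holding the image.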

 

 

  10. Import the VHD as an AMI by executing the command below:

aws ec2 import-image --description "Windows 11" --disk-containers file://containers.json

  11. The import now runs inside AWS; the command returns an ImportTaskId. Check progress with:

aws ec2 describe-import-image-tasks

To watch a single task, add --import-task-ids with the ImportTaskId from the previous step. The task is finished when Status is completed and the output lists the ImageId of the new AMI; a Status of deleted means the import failed, and StatusMessage gives the reason.

12. Create an EC2 instance from the AMI by following the steps below:

  1. Click AMIs, select your AMI, and launch an instance, choosing the instance settings. In the security group, allow RDP (TCP 3389) only from your own source IP address rather than from 0.0.0.0/0.
  2. Click "Connect" on your instance, as shown below:
  3. Select "RDP client" and click "Download remote desktop file".
  4. Open the downloaded file and connect. The imported image keeps the local accounts created during the VirtualBox installation, so log in with those credentials.
    Expected result: the instance launches successfully and accepts the RDP connection.

 Connecting the instance to the AWS AD domain and installing SecureLogin:

  1. Join the Windows 11 EC2 instance to the AWS Managed Microsoft AD domain. The instance must use the directory's DNS servers (via the VPC DHCP options or the adapter settings) and be able to reach the domain controllers; then join the domain with the directory's admin credentials and reboot.
  2. Extend the directory schema as described in the next section; SecureLogin must not be installed before the schema is extended.
  3. Download the NSL 9.x build and extract it.
  4. Install NSL in AD mode.
  5. Restart the client.
  6. Launch NSL (sltray) and perform the client tray operations (continued).

Configuring in an AWS Managed Microsoft Active Directory Environment

Before you install SecureLogin, you must first extend the schema.

Extending the AWS Managed Microsoft Active Directory Schema

Schemas are used by AWS Managed Microsoft AD to structure and regulate the storage of directory data. With a valid LDAP Data Interchange Format (LDIF) file, schema extensions enable you to alter the schema of your AWS Managed Microsoft AD directory.

You must create an LDIF file before extending the schema. To create an LDIF file, perform the following:

  1. Copy the following code and paste it into any text editor. Keep the lines of each record contiguous: in LDIF a blank line ends a record, so a blank line after every line (as a web copy-and-paste sometimes produces) breaks the file.

#==================================================================
#
# This file contains SSO extensions for default ADAM schema.
# It should be imported with the following command:
#   ldifde -i -f sso-schema.ldf -s server:port -b username domain password -k -j . -c "CN=Configuration,DC=opennsl,DC=com" "#ConfigurationNamingContext"
#
#==================================================================

# Attributes

dn: CN=protocom-SSO-Entries,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Entries
attributeID: 1.2.840.113556.1.8000.60.1
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
adminDescription: Protocom-SSO-Entries
oMSyntax: 4
lDAPDisplayName: protocom-SSO-Entries
systemOnly: FALSE

dn: CN=protocom-SSO-Auth-Data,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Auth-Data
attributeID: 1.2.840.113556.1.8000.60.2
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
adminDescription: protocom-SSO-Auth-Data
oMSyntax: 4
lDAPDisplayName: protocom-SSO-Auth-Data
systemOnly: FALSE

dn: CN=protocom-SSO-Security-Prefs,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Security-Prefs
attributeID: 1.2.840.113556.1.8000.60.3
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
adminDescription: protocom-SSO-Security-Prefs
oMSyntax: 4
lDAPDisplayName: protocom-SSO-Security-Prefs
systemOnly: FALSE

dn: CN=protocom-SSO-Entries-Checksum,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Entries-Checksum
attributeID: 1.2.840.113556.1.8000.60.5
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
adminDescription: protocom-SSO-Entries-Checksum
oMSyntax: 4
lDAPDisplayName: protocom-SSO-Entries-Checksum
systemOnly: FALSE

dn: CN=protocom-SSO-Security-Prefs-Checksum,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Security-Prefs-Checksum
attributeID: 1.2.840.113556.1.8000.60.6
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
adminDescription: protocom-SSO-Security-Prefs-Checksum
oMSyntax: 4
lDAPDisplayName: protocom-SSO-Security-Prefs-Checksum
systemOnly: FALSE

dn: CN=protocom-SSO-Profile,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Profile
attributeID: 1.2.840.113556.1.8000.60.7
attributeSyntax: 2.5.5.1
isSingleValued: TRUE
adminDescription: protocom-SSO-Profile
oMSyntax: 127
lDAPDisplayName: protocom-SSO-Profile
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Classes

dn: CN=User,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: modify
add: mayContain
mayContain: protocom-SSO-Entries
mayContain: protocom-SSO-Auth-Data
mayContain: protocom-SSO-Security-Prefs
mayContain: protocom-SSO-Entries-Checksum
mayContain: protocom-SSO-Security-Prefs-Checksum
mayContain: protocom-SSO-Profile
-

dn: CN=Container,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: modify
add: mayContain
mayContain: protocom-SSO-Entries
mayContain: protocom-SSO-Auth-Data
mayContain: protocom-SSO-Security-Prefs
mayContain: protocom-SSO-Entries-Checksum
mayContain: protocom-SSO-Security-Prefs-Checksum
mayContain: protocom-SSO-Profile
-

dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: modify
add: mayContain
mayContain: protocom-SSO-Entries
mayContain: protocom-SSO-Auth-Data
mayContain: protocom-SSO-Security-Prefs
mayContain: protocom-SSO-Entries-Checksum
mayContain: protocom-SSO-Security-Prefs-Checksum
mayContain: protocom-SSO-Profile
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

#==================================================================

  2. Update all instances of DC=opennsl,DC=com with DC=<domain name>,DC=<domain extension> for your directory. Every dn in the file, including the -c argument in the header comment, must point at the same domain; a partially replaced file targets two directories at once and fails.
  3. Save the file with a .ldif extension. The ldifde command in the header comment is for a self-managed ADAM/AD LDS or AD instance; with AWS Managed Microsoft AD you have no access to the domain controllers, so the file is uploaded through the Directory Service console instead, as described below.
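The LDIF above is applied to a live directory and cannot be reverted by editing it again, so it is worth checking before upload. The following Python script is an added example, not code from the original page or from the SecureLogin product. It parses an LDIF file into records and flags the mistakes that typically come from copying this file out of a web page: blank lines inside a record (which split it into fragments with no dn), a missing "-" terminator on a modify record, an attributeSyntax/oMSyntax pair that does not match, a duplicate attributeID, a mayContain that names an attribute the file never defines, and a DC= suffix that was only partially replaced. It also rewrites DC=opennsl,DC=com to your domain DN. The embedded SAMPLE_LDIF is a constructed, abridged copy of the page's file (two attributes and one class), and DC=example,DC=com is a placeholder.

```python
import re

# Constructed, abridged copy of the page's schema file: two attributes and one class.
SAMPLE_LDIF = """\
# SSO schema extension (abridged, constructed for this example)
dn: CN=protocom-SSO-Entries,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Entries
attributeID: 1.2.840.113556.1.8000.60.1
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
oMSyntax: 4
lDAPDisplayName: protocom-SSO-Entries
systemOnly: FALSE

dn: CN=protocom-SSO-Profile,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: protocom-SSO-Profile
attributeID: 1.2.840.113556.1.8000.60.7
attributeSyntax: 2.5.5.1
isSingleValued: TRUE
oMSyntax: 127
lDAPDisplayName: protocom-SSO-Profile
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=opennsl,DC=com
changetype: modify
add: mayContain
mayContain: protocom-SSO-Entries
mayContain: protocom-SSO-Profile
-
"""

# attributeSyntax -> oMSyntax pairs this file uses (Octet String, DN); extend for others.
SYNTAX_PAIRS = {"2.5.5.10": "4", "2.5.5.1": "127"}
REQUIRED_ATTR_FIELDS = ("attributeID", "attributeSyntax", "oMSyntax", "lDAPDisplayName", "isSingleValued")


def parse_ldif(text):
    """Split LDIF into records, each a list of (attribute, value). Blank lines separate
    records, '#' lines are comments, a leading space folds a continuation line, and a
    bare '-' closes one change inside a modify record (kept as ('-', ''))."""
    records, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith(" ") and current:
            attr, value = current[-1]
            current[-1] = (attr, value + line[1:])
            continue
        if line == "-":
            current.append(("-", ""))
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        records.append(current)
    return records


def values(record, attr):
    return [v for a, v in record if a.lower() == attr.lower()]


def check_schema_ldif(text):
    """Return a list of findings; an empty list means the file passed every check."""
    findings, defined, oids, suffixes = [], set(), {}, set()
    for rec in parse_ldif(text):
        dns = values(rec, "dn")
        if not dns:
            findings.append(f"record starting with {rec[0][0]!r} has no dn (blank line inside a record?)")
            continue
        dn = dns[0] or "(rootDSE)"
        if dns[0]:  # collect the domain part after CN=Configuration, to spot partial edits
            suffixes.add(dns[0].partition("CN=Configuration,")[2].lower())
        changetype = values(rec, "changetype")
        if changetype == ["ntdsschemaadd"]:
            for field in REQUIRED_ATTR_FIELDS:
                if not values(rec, field):
                    findings.append(f"{dn}: missing {field}")
            syntax, om = values(rec, "attributeSyntax"), values(rec, "oMSyntax")
            if syntax and om and SYNTAX_PAIRS.get(syntax[0]) != om[0]:
                findings.append(f"{dn}: attributeSyntax {syntax[0]} does not pair with oMSyntax {om[0]}")
            for oid in values(rec, "attributeID"):
                if oid in oids:
                    findings.append(f"{dn}: attributeID {oid} already used by {oids[oid]}")
                oids[oid] = dn
            for name in values(rec, "lDAPDisplayName"):
                defined.add(name.lower())
        elif changetype == ["modify"]:
            for name in values(rec, "mayContain"):
                if name.lower() not in defined:
                    findings.append(f"{dn}: mayContain {name} is not defined earlier in the file")
            if rec[-1][0] != "-":
                findings.append(f"{dn}: modify record lacks the '-' terminator")
        else:
            findings.append(f"{dn}: unexpected changetype {changetype}")
    if len(suffixes) > 1:
        findings.append(f"mixed domain suffixes, replace every DC= occurrence: {sorted(suffixes)}")
    return findings


def retarget(text, domain_dn):
    """Replace the sample domain DC=opennsl,DC=com with the target directory's DN."""
    return re.sub(r"DC=opennsl,\s*DC=com", domain_dn, text, flags=re.IGNORECASE)


if __name__ == "__main__":
    ldif = retarget(SAMPLE_LDIF, "DC=example,DC=com")  # placeholder domain
    print("\n".join(check_schema_ldif(ldif)) or "OK: no findings")
```

To check the real file, read it into a string in place of SAMPLE_LDIF and run check_schema_ldif on the retargeted text; only upload when it returns no findings. The checks are purely syntactic and do not replace AWS's own validation, but they catch the copy-and-paste and partial-edit errors before an irreversible schema update is attempted.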

Import LDIF File

A schema extension cannot be undone by applying another LDIF; take a manual snapshot of the directory (Directory details, Snapshots) before uploading, so that the directory can be restored if the update fails or adds the wrong attributes.

  1. In the AWS Directory Service console navigation pane, select Directories.
  2. On the Directories page, choose your directory ID.
  3. On the Directory details page, do one of the following:
    • If you have multiple Regions showing under Multi-Region replication, select the primary Region, and then choose the Maintenance tab.
    • If you do not have any Regions showing under Multi-Region replication, choose the Maintenance tab.
  4. In the Schema extensions section, choose Actions, and then select Upload and update schema.
  5. In the dialog box, click Browse, select a valid LDIF file, type a description, and then choose Update Schema. The Schema extensions section shows the status of the update and the reason if it fails; once it completes, the protocom-SSO-* attributes are available on the User, Container and Organizational-Unit classes and SecureLogin can be installed.

 

 

 

 

 
